authorMartin Matuska <mm@FreeBSD.org>2022-04-03 12:21:28 +0000
committerMartin Matuska <mm@FreeBSD.org>2022-12-28 22:15:58 +0000
commitc237fe8275a3532c6f9e686a9f8cf9aaeb8b168e (patch)
tree0335b99efe11ad161d2fc3c08679bef97f30a536
parentd9a2aa38186be58c2a296aface3ac51dba688a86 (diff)
libarchive: merge vendor bugfixes
Bugfixes: IS #1685 and OSS-Fuzz #38764 (security): (ISO reader) fix possible heap buffer overflow in read_children() IS #1715 and OSS-Fuzz #46279 (security): (RARv4 reader) fix heap-use-after-free in run_filters() (cherry picked from commit 9f690fcfdc050f566466ac10cca29ff43bf4fe92)
-rw-r--r--contrib/libarchive/libarchive/archive_read_support_format_iso9660.c3
-rw-r--r--contrib/libarchive/libarchive/archive_read_support_format_rar.c17
2 files changed, 19 insertions, 1 deletions
diff --git a/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c b/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
index 806f36cbe10b..15ded7c561e5 100644
--- a/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
+++ b/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
@@ -1007,7 +1007,8 @@ read_children(struct archive_read *a, struct file_info *parent)
p = b;
b += iso9660->logical_block_size;
step -= iso9660->logical_block_size;
- for (; *p != 0 && p < b && p + *p <= b; p += *p) {
+ for (; *p != 0 && p + DR_name_offset < b && p + *p <= b;
+ p += *p) {
struct file_info *child;
/* N.B.: these special directory identifiers
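Review bot: The new loop condition still reads `*p` before it tests `p + DR_name_offset < b`, so when the previous record ends exactly at `b` the first operand dereferences the byte at the block boundary before any bounds test has run. Whether that byte always lies inside the read-ahead buffer depends on code outside this hunk, so putting the bounds test first is the safer order: `for (; p + DR_name_offset < b && *p != 0 && p + *p <= b;`. A short comment above the loop, such as `/* the fixed part of a directory record must fit in the block before any field is read */`, would also record why `DR_name_offset` is used instead of plain `p < b`. The loop body continues past the end of the hunk.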
diff --git a/contrib/libarchive/libarchive/archive_read_support_format_rar.c b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
index 7a7318522650..f9cbe2a8810d 100644
--- a/contrib/libarchive/libarchive/archive_read_support_format_rar.c
+++ b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
@@ -3328,6 +3328,7 @@ run_filters(struct archive_read *a)
struct rar *rar = (struct rar *)(a->format->data);
struct rar_filters *filters = &rar->filters;
struct rar_filter *filter = filters->stack;
+ struct rar_filter *f;
size_t start, end;
int64_t tend;
uint32_t lastfilteraddress;
@@ -3345,6 +3346,22 @@ run_filters(struct archive_read *a)
ret = expand(a, &tend);
if (ret != ARCHIVE_OK)
return 0;
+
+ /* Check if filter stack was modified in expand() */
+ ret = ARCHIVE_FATAL;
+ f = filters->stack;
+ while (f)
+ {
+ if (f == filter)
+ {
+ ret = ARCHIVE_OK;
+ break;
+ }
+ f = f->next;
+ }
+ if (ret != ARCHIVE_OK)
+ return 0;
+
if (tend < 0)
return 0;
end = (size_t)tend;
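Review bot: The walk added after `expand()` compares addresses only, so it shows that some node at the address saved in `filter` is on the stack, not that it is the same filter object that was read before the call. If `expand()` can free a filter and allocate a new one (not visible in this hunk), the allocator may return the same address and the check would pass for a different filter; a change counter on `struct rar_filters`, compared before and after the call, would be sturdier, and the comment should at least state the limitation. Separately, `ret` is reused as a found-flag with `ARCHIVE_FATAL`, a value that is never returned; the search reads more plainly as `for (f = filters->stack; f != NULL && f != filter; f = f->next) ;` followed by `if (f == NULL) return 0;`. `run_filters()` starts and ends outside the hunk.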